About Us

Who are we?



Humberto J. Abdelnur
• Ph.D. student supervised by Radu and Olivier
• Fuzzing and Fingerprinting
• http://www.loria.fr/~abdelnur

Radu State
• Ph.D. senior researcher
• Network and Service Management and VoIP Security Monitoring and Assessment

Olivier Festor
• Ph.D. research director
• Distributed network, security and service management
• http://www.loria.fr/~festor/



Where do we work?

Madynes team
• http://madynes.loria.fr

INRIA Nancy-Grand Est, FRANCE
• http://www.loria.fr
• http://www.inria.fr
• Social threats (e.g. misrepresentation of entities, theft of services, unwanted contacts)
• Eavesdropping; Interception and Modification (e.g. rerouting, alteration, hijacking)
• Denial of Service (e.g. flooding, network services DoS, DDoS, malformed protocol messages, fake teardown of session)
• Service Abuse (e.g. bill bypassing, hijacking)
• Physical access (e.g. social engineering attacks)
• Interruption of services (e.g. loss of power, resource exhaustion, latency)

1 VoIP Security Alliance, http://voipsa.org
• Why kill a fly with a hammer?
• Why limit yourself to sniffing network traffic if you can remote-eavesdrop?
• Operational toll-fraud on VoIP networks
• VoIP is only the cherry on the cake: owning the internal network with VoIP alone
• Exploiting weaknesses in standardized protocols (SIP)
• The list may continue ...
"What i:
answers :

• When you have nothing to say ...
• One message, just an empty packet can do it
• Affected device: Thomson ST2030 v1.52.1

[Figure: Thomson ST2030, DoS]

Vulnerability by KiF: CVE-2007-4753

"Live Free or Die Hard"
Easy sta.

• One INVITE message (even from an anonymous user)
• SDP contains 2 connection headers
• One is an invalid IP address
• All services of the PBX go down
• Affected product: Asterisk 1.2.16, 1.4.1 and older

INVITE sip:Alex@Asterisk
SDP-Body:
c=IN IP4 192.168.1.2
c=IN IP4 910.188.8.2

Vulnerability by KiF: CVE-2007-1561
Beyond CALEA / Bi,

• INVITE an entity but ... reply yourself
• Remote entity accepts the call without asking
• Eavesdrops on the conversation taking place in the room
• Required stateful fuzzing

Grandstream GXV-3000 message flow:
INVITE
100 Trying
180 Ringing
183 Session Progress
RTP-Flow

Vulnerability by KiF: CVE-2007-4498
Toll-fraud with VoIP

SIP Authentication Background

SIP-URI: Alex@PBX.1
SIP-URI: Bob@PBX.2

INVITE sip:Alex@PBX.1
ACK sip:Alex@PBX.1
INVITE sip:Alex@PBX.1
401 Authentication Required (Authentication Challenge)
ACK sip:Alex@PBX.1
INVITE sip:Alex@PBX.1 (Authentication Response)
ACK sip:Alex@PBX.1
Media Data

Proxy-Authenticate: Digest algorithm=MD5, realm="domain.org", nonce="1d78fb72"

Proxy-Authorization: Digest username="Bob", realm="domain.org", uri="sip:Alex@PBX.1", response="4cc8a1de5a60306c760" nonce="1d78fb72", algorithm=MD5
Toll-fraud with VoIP

When Crypto is not enough

Digest Authentication is cryptographically sound but developers ...

Affected devices
• Cisco CallManager, CVE-2007-5468
• OpenSer v1.2.2, CVE-2007-5469

Impact
• Toll-fraud
• Call-ID spoofing

[Figure: SIP-URI: Bob@PBX.3; INVITE sip:Bob@PBX.3, FROM: Joe@PBX.2, carrying the Authentication Response obtained for INVITE sip:Alex@PBX.1]

• Allows "Replay" attacks but ... to any other entity
• Digest-URI not checked to be the same as Request-URI
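The check the slide says is missing, as an added example that is not from the deck or from KiF: an RFC 2617 Digest computation as SIP uses it, a parser for the Proxy-Authorization value shown above, and a verifier that binds the response to the Request-URI and makes every nonce single-use. The user database, realm handling, nonces and the `DigestVerifier` class are assumptions; `check_uri=False` reproduces the flawed behaviour, and the same two checks are what the relayed-challenge scenario later in the deck relies on being absent.

```python
import hashlib
import hmac
import re
import secrets

# Constructed test credentials for this example (not from the slides).
USERS = {"Bob": "s3cret"}
REALM = "domain.org"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce):
    """RFC 2617 Digest without qop, as SIP uses it: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")          # the Digest-URI is bound into HA2
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header: str) -> dict:
    """Parse the parameter list of a 'Digest ...' credentials header value."""
    body = header.split("Digest", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+)', body)}


class DigestVerifier:
    """Server side: nonces are single-use, and the Digest-URI must equal the Request-URI."""

    def __init__(self, check_uri=True):
        self.check_uri = check_uri          # False reproduces the flaw described on the slide
        self.nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.nonces.add(nonce)
        return nonce

    def verify(self, method, request_uri, auth) -> bool:
        user = auth.get("username")
        if user not in USERS or auth.get("realm") != REALM:
            return False
        if auth.get("nonce") not in self.nonces:
            return False                    # unknown or already consumed nonce: no replay
        if self.check_uri and auth.get("uri") != request_uri:
            return False                    # credentials were computed for another target
        expected = digest_response(user, USERS[user], REALM, method, auth.get("uri", ""), auth["nonce"])
        ok = hmac.compare_digest(expected, auth.get("response", ""))
        if ok:
            self.nonces.discard(auth["nonce"])
        return ok
```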



• Can VoIP insecurity lead to a compromise of my network?
• Can I own the internal network just from a regular phone call?
Owning the Network

When web2.0 meets SIP

• XSS SIP attacks via VoIP phones
• Extremely dangerous because users connect from the internal network
• Many VoIP devices have integrated webservers...
• Easily integrated with tools like BeEF, AttackAPI, XSSProxy, JIKTO...
• Affected product: Linksys SPA-941 firmware v5.1.5

INVITE bob@PBX.1
FROM: "<script>"

Vulnerability by KiF: CVE-2007-5411
Owning the Network

The missing ingredient: SQL

• SQL Injections over SIP
• SQL tables used for CDR
• Unescaped inputs
• Asterisk addons
• Got one SQL injection? Have one XSS for free!
• Unescaped database inputs
• FreePBX, trixbox
• XSS via SQL injections through SIP

$SQLinjection = '",-10)/*
INVITE sip:$SQLinjection@PBX
Toll-fraud

$script = '<script>alert("Hello world")</script>';
$SQLinjection = '"' . 2hex($script) . ')/*';
INVITE sip:$SQLinjection@PBX
XSS

Vulnerability by KiF: CVE-2007-54881
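Added example, not from the slides or from any PBX project, showing the two defects behind this slide on a constructed CDR table: request data concatenated into SQL text beside a parameterised insert, and HTML escaping of stored values before they reach a web UI (the XSS the slide gets "for free"). The table layout, function names and sample payloads are constructed for the example.

```python
import html
import sqlite3

# Constructed user parts of a SIP From/Request-URI, of the shape shown on the slide.
SAMPLES = [
    "alice",
    "\"',-10)/*",                               # quote-breaking payload
    "<script>alert(\"Hello world\")</script>",  # stored XSS attempt
]


def build_cdr_sql_unsafe(src, dst):
    """The pattern behind the CDR injection: request data pasted into the SQL text."""
    return f"INSERT INTO cdr (src, dst) VALUES ('{src}', '{dst}')"


def new_cdr_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdr (id INTEGER PRIMARY KEY, src TEXT, dst TEXT)")
    return conn


def insert_cdr(conn, src, dst):
    """Parameterised insert: the values can never change the statement's structure."""
    return conn.execute("INSERT INTO cdr (src, dst) VALUES (?, ?)", (src, dst)).lastrowid


def render_cdr_row(src, dst):
    """HTML for the PBX web UI; escaping stored text removes the 'XSS for free'."""
    return f"<tr><td>{html.escape(src)}</td><td>{html.escape(dst)}</td></tr>"


def roundtrip(src):
    """Store a hostile user part through the safe path and read it back unchanged."""
    conn = new_cdr_db()
    rowid = insert_cdr(conn, src, "7940")
    return conn.execute("SELECT src FROM cdr WHERE id = ?", (rowid,)).fetchone()[0]
```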
Bunch of Features

• How re-INVITEs work

SIP-URI: Bob@PBX.2
SIP-URI: Joe@PBX.3

INVITE sip:Bob@PBX.2
100 Trying
180 Ringing
200 OK
ACK sip:Bob@PBX.2
Media Data (Actual Conversation)
INVITE sip:Joe@PBX.3
200 OK
• Can we ask to authenticate re-INVITEs?

SIP design

We may use such authentication at will :)

SIP-URI: Bob@PBX.2
Attacker UserX, SIP-URI: X@XXX.1
UserC, SIP-URI: Jo.

INVITE sip:Joe@PBX.2
100 Trying
180 Ringing
INVITE sip:...
Contact: sip:Piggy@PBX.2
Record-Route: sip:X@XXX.1
ACK sip:Bob@PBX.2
Media Data
Media Data
INVITE sip:Alex@PBX.2
401 Authentication Required (same Authentication Challenge)
INVITE sip:Piggy@PBX.2 (Authentication Response)
INVITE sip:Piggy@PBX.2
FROM: Bob@PBX.2
401 Authentication Required (Authentication Challenge)
INVITE sip:Piggy@PBX.2
FROM: Bob@PBX.2
(same Authentication Response)
180 Ringing
200 OK
ACK sip:Piggy@PBX.2
Media Data

10$ per call plus ...
Piggy@Hotline

INVITE sip:Piggy@Hotline
FROM: Bob@PBX.2
ACK ...
The Demo as it is

Attacker UserX, SIP-URI: BadGuy@192.168.1.3

INVITE sip:7940@192.168.1.21
Contact: sip:941@192.168.1.4
Record-Route: sip:BadGuy@192.168.1.3
100 Trying
180 Ringing
ACK sip:7940@192.168.1.21
INVITE sip:941@192.168.1.4
401 Authentication Required (same Authentication Challenge)
INVITE sip:941@192.168.1.4 (Authentication Response)
INVITE sip:941@192.168.1.4
FROM: 7940@192.168.1.21
401 Authentication Required (Authentication Challenge)
INVITE sip:941@192.168.1.4
FROM: 7940@192.168.1.21
(same Authentication Response)
180 Ringing
200 OK
ACK sip:941@192.168.1.4
Media Data

10$ per call plus ...
941@192.168.1.24

180 Ringing
200 OK
ACK sip:7940@192.168.1
Media Data
Outline

Fuzzing
• How to find bugs?
• Syntax fuzzing
• Stateful fuzzing
• Evaluation impact
How to find bugs?

Fuzzing ... one of many ways

"Thus, fuzz testing can only be regarded as a bug-finding tool rather than an assurance of quality" 4

• Emerged as a branch of Software Testing
• Important topic for the Development Cycle / Independent Assessment
• Based on input data validation
• Random or invalid characters
• Malicious data (e.g. string formatters)
• Functional verification is marginal
• Main objective is to find potential vulnerabilities

4 http://en.wikipedia.org/wiki/Fuzz_testing
How to find bugs

General limitations

• Requires more specification the more precise it gets
• Limited data generation
• Hard to estimate what the generated output / expected answer will be
• Success evaluation depends only on crashed or not crashed
• Unable to test specific states of the target (i.e. stateless)
• Learning is not considered
• Unable to decide when to stop
  • Time of testing
  • Quantity of tests or some new metrics?

• Invalid messages may reveal vulnerabilities
  • Consider which item of the message should be fuzzed
  • Headers or input values may be fuzzed
  • Which value should be the one to replace
  • The new value may or may not be syntactically correct

• Unexpected messages may reveal vulnerabilities
  • Decide what type of message to send
  • Decide when to send the next message
Fuzzer bases

• Easy to launch
• Non protocol aware mutations
• Just for mutations, not always useful

• Protocol aware messages
• Limited set of variables depending on the block definitions
• Requires manual description of which are the blocks

• Protocol aware messages
• Fine grained block based
• Specificity based on the grammar
• Requires detailed grammar as input

Creating input grammars or block definitions = tedious job



Making

• Each protocol has its own grammar specification (e.g. ABNF grammars as defined in RFC 2234). Why not reuse it?
• Full and precise description of the Protocol Syntax
• Generic approach, allows Parsing & Fuzzing of any Rule of any Grammar

[Figure: KiF architecture: Grammar, MADBNF-KiFLibs, Tree Representation, Scenario]
Message   = Header 1*SP 1*( "(" Opt-Value ")" )
Header    = ("Query" / "Reply") 1*SP Entity
Opt-Value = (Ack / Value / Version)
Entity    = 1*ALPHA
Ack       = "Ack" HCOLON 1*DIGIT
Value     = "Value" HCOLON 1*ALPHA
Version   = "Version" 1*SP DIGIT "." DIGIT
ALPHA     = %x41-5A / %x61-7A   ; A-Z / a-z
DIGIT     = %x30-39             ; 0-9
HCOLON    = *SP ":" *SP
SP        = %x20                ; space

• Infer rules from a Context-Free Grammar (the use of an ABNF provides complete knowledge of the message syntax)
• Admits any grammar to create new fuzzers (i.e. genericity)
• Allows choosing the fields to fuzz (i.e. specificity to generate the crafted message)

Reply USER (Version 1.1)(Ack : 1)(Value : Alex)
Syntax fuzzing

Syntax modifications

• Any grammar rule may be generated (i.e. generation from scratch)
• Any existing reduction may be replaced (i.e. mutation or merging)
• Statistic measures may influence the reduction (i.e. learning from the past)
• New rules can be defined on the fly (i.e. evolving rules)
• Semantic computation may be applied from other nodes (e.g. checksum computations)

Reply USER (Version 1.1)(Ack : 1)(Value : Alex)
Request ROOT \x0 ' (Version 1.1)(Ack : 1)(Value : Ale:
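An added example (not KiF code) implementing the two previous slides together: the ABNF above as a rule table, a generator that derives a message from any rule of it, and an override hook that replaces the reduction of one chosen rule (the field selected to fuzz, or a rule defined on the fly, as in the slide's "Request ROOT \x0" line). The rule-table encoding, the repetition bounds and the recogniser regex are assumptions; the regex exists only to tell valid output from mutated output.

```python
import random
import re
import string

# The slides' ABNF as a rule table (constructed for this example): an item is a "quoted"
# literal, a rule name, or (rule, min, max), a bounded repetition standing in for 1*rule / *rule.
GRAMMAR = {
    "Message":   [["Header", ("SP", 1, 3), ("Opt-Group", 1, 3)]],
    "Opt-Group": [['"("', "Opt-Value", '")"']],
    "Header":    [['"Query"', ("SP", 1, 2), "Entity"], ['"Reply"', ("SP", 1, 2), "Entity"]],
    "Opt-Value": [["Ack"], ["Value"], ["Version"]],
    "Entity":    [[("ALPHA", 1, 6)]],
    "Ack":       [['"Ack"', "HCOLON", ("DIGIT", 1, 3)]],
    "Value":     [['"Value"', "HCOLON", ("ALPHA", 1, 6)]],
    "Version":   [['"Version"', ("SP", 1, 2), "DIGIT", '"."', "DIGIT"]],
    "HCOLON":    [[("SP", 0, 1), '":"', ("SP", 0, 1)]],
    "ALPHA":     [[f'"{c}"'] for c in string.ascii_letters],
    "DIGIT":     [[f'"{c}"'] for c in string.digits],
    "SP":        [['" "']],
}
# Recogniser for syntactically valid messages (an assumption, used to tell mutated output apart).
VALID = re.compile(r"^(Query|Reply) +[A-Za-z]+ +"
                   r"(\((Ack *: *[0-9]+|Value *: *[A-Za-z]+|Version +[0-9]\.[0-9])\))+$")


def generate(rule, rng, overrides=None):
    """Derive a string from `rule`. `overrides` maps a rule name to a function that
    produces its text instead: the field chosen to fuzz, or a rule defined on the fly."""
    if overrides and rule in overrides:
        return overrides[rule](rng)
    out = []
    for item in rng.choice(GRAMMAR[rule]):
        if isinstance(item, tuple):                   # bounded repetition of a rule
            name, lo, hi = item
            out.append("".join(generate(name, rng, overrides) for _ in range(rng.randint(lo, hi))))
        elif item.startswith('"'):                    # literal
            out.append(item[1:-1])
        else:                                         # rule reference
            out.append(generate(item, rng, overrides))
    return "".join(out)


def is_valid(msg):
    return VALID.match(msg) is not None


def sample(n, seed=0, overrides=None):
    """n messages from one seeded generator, so a run can be reproduced."""
    rng = random.Random(seed)
    return [generate("Message", rng, overrides) for _ in range(n)]


def fuzz_header(rng):   # an on-the-fly Header reduction the grammar itself cannot produce
    return "Request" + " " * rng.randint(1, 3) + "ROOT" + "\x00" * rng.randint(1, 2)
```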
[Figure: Active Testing State Machine; Passive Testing State Machine]

Behavior

• Collect traces under normal conditions to deduce normal behavior
• Just observes the current traffic
• Infers current state of the unit under test
• Detects abnormal events

[Figure: Entity A / Entity B exchange (INVITE, 100 Trying, 180 Ringing) with the inferred Current State]
Behavior

Active Testing

• Leads the target into a specific state
• Specify which action must be taken at each step
• Event-Driven Probabilistic Finite Automata based Scenarios

[Figure: Syntax Scenarios (Syntax Fuzzer Scenario 1, 2, 3) feeding a Stateful Scenario; transitions such as ?100 with timeout=(0,5) and !INVITE with a scenario weight; Current State]
Evaluation impact

Reporting e,

• If the reply messages are syntactically incorrect
• The type of transition does not match any of the possible ones from the Passive State Machine
• When a message other than the expected one in the scenario occurs (i.e. when the scenario is trying to avoid the normal protocol flow, e.g. for registering)
• And when the device is not responding anymore
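The four reporting rules above as an added example (not KiF code): a tracker that follows an INVITE transaction through a constructed passive state machine and reports syntactically incorrect start lines, transitions the machine does not know, messages that differ from what a scenario expected, and a reply timeout. The transition table, the `PassiveTracker` class and the trace are assumptions built for the example.

```python
import re
STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) \S.*$")
REQUEST_RE = re.compile(r"^([A-Z]+) sip:\S+ SIP/2\.0$")

TRANSITIONS = {   # INVITE-transaction transitions as a passive run over normal traffic records them
    ("idle", "INVITE"): "calling", ("confirmed", "INVITE"): "calling",     # (re-)INVITE
    ("calling", "1xx"): "proceeding", ("proceeding", "1xx"): "proceeding",
    ("calling", "2xx"): "completed", ("proceeding", "2xx"): "completed",
    ("calling", "3xx-6xx"): "failed", ("proceeding", "3xx-6xx"): "failed",
    ("completed", "ACK"): "confirmed", ("failed", "ACK"): "idle",
}

def classify(line):
    """Method of a request line or response class of a status line; None if malformed."""
    req, rsp = REQUEST_RE.match(line), STATUS_RE.match(line)
    if req:
        return req.group(1)
    if not rsp:
        return None
    code = int(rsp.group(1))
    return "1xx" if code < 200 else "2xx" if code < 300 else "3xx-6xx"

class PassiveTracker:
    def __init__(self):
        self.state, self.reports = "idle", []

    def observe(self, line, expected=None):
        if line is None:                      # reply timer expired: device not responding
            self.reports.append(("not responding", f"no reply in state {self.state}"))
            return
        label = classify(line)
        if label is None:                     # syntactically incorrect reply
            self.reports.append(("syntax", line))
            return
        if expected is not None and label != expected:   # scenario asked for another message
            self.reports.append(("unexpected", f"{label} instead of {expected}"))
        nxt = TRANSITIONS.get((self.state, label))
        if nxt is None:                       # transition unknown to the passive state machine
            self.reports.append(("abnormal", f"{label} in state {self.state}"))
            return
        self.state = nxt

# Constructed trace: a normal dialog, then a stray 180, a malformed status line and a timeout.
TRACE = ["INVITE sip:Alex@PBX.1 SIP/2.0", "SIP/2.0 100 Trying", "SIP/2.0 180 Ringing",
         "SIP/2.0 200 OK", "ACK sip:Alex@PBX.1 SIP/2.0", "SIP/2.0 180 Ringing", "SIP/2.0 2OO OK", None]

def analyse(trace):
    tracker = PassiveTracker()
    for line in trace:
        tracker.observe(line)
    return tracker.reports
```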
About

What do you need to launch KiF?

• Understand what you are trying to fuzz
• Python and SIP knowledge required

What KiF does not do!

• Click & launch ...
• Identify the exact problem and create a PoC

Why use KiF

• Precision and specificity
• Dynamicity, results may always be different
• Adaptability
• Stateful

How can I get KiF?

• KiF source is accessible under conditions
  • Follow the instructions at http://kif.gforge.inria.fr/
  • Fill in the license
  • Ground mail the license to us